
On Thu, Nov 29, 2018 at 02:52:32PM +0100, Michal Privoznik wrote:
Our code is not bug free. The refcounting I introduced will almost certainly not work in some use cases. Provide a script that will remove all the XATTRs set by libvirt so that it can start cleanly.
On this point, it would be a nice idea to be able to write some unit tests to exercise the security drivers, as this is something we're significantly lacking coverage of. With mocking of the chown/setxattr/etc methods we can easily detect some of the bugs you fixed here, such as forgetting to restore labels of certain resource types.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com> --- tools/Makefile.am | 1 + tools/libvirt_recover_xattrs.sh | 89 +++++++++++++++++++++++++++++++++ 2 files changed, 90 insertions(+) create mode 100755 tools/libvirt_recover_xattrs.sh
diff --git a/tools/Makefile.am b/tools/Makefile.am index f069167acc..1dc009c4fb 100644 --- a/tools/Makefile.am +++ b/tools/Makefile.am @@ -75,6 +75,7 @@ EXTRA_DIST = \ virt-login-shell.conf \ virsh-edit.c \ bash-completion/vsh \ + libvirt_recover_xattrs.sh \ $(PODFILES) \ $(MANINFILES) \ $(NULL)
+XATTRS=("trusted.libvirt.security.dac" + "trusted.libvirt.security.ref_dac" + "trusted.libvirt.security.selinux" + "trusted.libvirt.security.ref_selinux")
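Review bot: in the tools/Makefile.am hunk the script is added only to EXTRA_DIST, so it ships in the release tarball but is never installed. Since the commit message offers it as the way to start cleanly after a refcounting bug, consider installing it as well, or documenting that it has to be run from the source tree, so hosts running a packaged libvirt can reach it.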
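Review bot: the XATTRS array hard-codes the "trusted." prefix in all four names, so on a platform where these attributes are stored under a different name the list would not match them and the stale labels and refcounts would stay on disk. Select the names per platform, or list every name set the security drivers can write, and keep the list close to the definitions the drivers use so the two cannot drift apart. The array syntax is also bash-only, so the script needs a bash shebang rather than /bin/sh.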
Needs updating to account for FreeBSD naming now

Regards,
Daniel
-- 
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|